Case Study 7.2: The SAR Filing Decision — When the Data Says "Maybe"

The Situation

Context: Priya Nair is advising a mid-size UK challenger bank (fictional: Axiom Digital Bank) on improving its AML transaction monitoring program Challenge: Axiom's analysts face a recurring problem — alerts where the transaction data is genuinely ambiguous and the SAR filing decision is not clear-cut Focus: The human judgment at the end of the monitoring pipeline, and what supports good decisions under uncertainty

Background: Axiom's Ambiguity Problem

Axiom Digital Bank had implemented a hybrid AML monitoring program — rules-based scenarios augmented by ML risk scoring — twelve months before Priya's engagement. The technology side was working. Alert volume had been brought under control. False positive rate was tracking at approximately 80%, well below the 95% industry average for pure rules-based programs.

But Axiom's Quality Assurance team had identified a consistent pattern in analyst decisions: a 15% disagreement rate between analyst disposition and QA reviewer assessment. Most disagreements weren't about clear false positives or obvious SARs — those were being decided consistently. The disagreements clustered in the middle: genuinely ambiguous cases where reasonable compliance professionals disagreed about whether the threshold for SAR filing had been crossed.

Axiom's Head of Financial Crime asked Priya to analyze a sample of the disagreement cases and develop recommendations for the decision framework.

The Three Cases

Priya's analysis focused on three representative cases from the disagreement sample.

Case A: The Unexplained Payment Pattern

Account: Sofia Okonkwo, retail customer, 3-year relationship with Axiom Trigger: Unusual payment recipient scenario — series of payments to a recipient category not seen in customer's prior 3-year history Activity: Sofia received her regular salary (£3,200 monthly from NHS employer). Beginning in January, she began making five payments of £200–£400 each month to a new recipient: "FastCash247 Ltd" — an FCA-registered credit services business.

The ambiguity: FastCash247 Ltd was on no watchlist and had no adverse media. The payments could reflect a legitimate personal loan repayment. They could also reflect a loan sharking arrangement where Sofia was paying on behalf of a third party, or a scam where she was making payments under duress.

Analyst decision: Closed (no suspicious activity). Rationale: "Customer has established salary receipts consistent with profile. Payments to FCA-registered business. No indicators of third-party payments or coercion."

QA reviewer assessment: Escalate for enhanced review. Rationale: "Payment pattern is inconsistent with customer's 3-year profile. 'FastCash247 Ltd' while FCA-registered has characteristics of high-cost short-term credit. Would benefit from account review of customer's full payment history and consideration of whether this could be authorised push payment fraud victimisation."

Case B: The Cash-Heavy Business

Account: Riverside Catering Ltd, business current account, 18-month relationship Trigger: Cash deposit volume scenario — monthly cash deposits exceeding 150% of account average Activity: Riverside Catering is a catering and events business. Its July cash deposits were £28,000 against a 6-month average of £11,500. Company director explained in a previous KYC review that they handle private events including weddings, which are often paid partly in cash.

The ambiguity: The July spike coincided with the UK summer wedding season. The amount was large but potentially explained by a single large event. Alternatively, the spike could represent cash from an undisclosed additional business activity.

Analyst decision: Closed. Rationale: "Cash volume increase consistent with seasonal pattern for events business. Director previously explained cash-intensive business model in KYC review."

QA reviewer assessment: Also closed. Agreement on outcome, but reviewer noted the analyst's documentation should have included: (1) a reference to the KYC file entry confirming the director's explanation, (2) a note checking whether July sales invoices exist to corroborate the cash volume. "The decision is right but the audit trail is incomplete."

Case C: The International Structure

Account: Zenith Trading Partners Ltd, business current account, 8-month relationship Trigger: Multiple scenarios triggered simultaneously: (1) round-dollar international wires, (2) rapid in-and-out movement, (3) first-time high-value counterparty Activity: Zenith received a £75,000 wire from a UAE entity (Al-Rashid Commercial Group) and sent £72,000 to a separate UAE entity (Arabian Horizons LLC) five days later. The retained £3,000 appears to be a margin or fee. Zenith's stated business purpose: "trade facilitation and commodity brokerage."

The ambiguity: UAE is not a sanctions-listed jurisdiction. The transaction pattern — receiving funds, retaining a margin, passing on the balance — is consistent with a legitimate trade facilitation role. It is equally consistent with pass-through money movement using a trade cover story. The counterparties were not on any watchlist. Zenith had an 8-month history with no prior escalations.

Analyst decision: Escalate to senior review (not auto-SAR, not closed — escalated for a second opinion).

QA reviewer assessment: SAR should have been filed. Rationale: "First-time high-value counterparties in both directions, pass-through structure retaining small margin, UAE jurisdiction (enhanced scrutiny), 8-month-old relationship with limited account history to explain this transaction pattern. Individually these are explainable; together they cross the threshold for objective suspicion."

The disagreement: The analyst chose to escalate rather than file; the QA reviewer assessed that the combined indicators crossed the SAR filing threshold. Both were reasonable positions — the disagreement is about where exactly the line is.

Priya's Framework Analysis

After reviewing these cases and the broader disagreement sample, Priya identified three root causes of the ambiguity problem:

Root Cause 1: Insufficient documentation standards Case B illustrated a class of disagreements where the disposition was correct but the documentation was insufficient for a QA reviewer to confirm this. The fix here is not a judgment improvement — it is a documentation template that prompts analysts to record the specific evidence that supports their conclusion, not just the conclusion.

Root Cause 2: Unclear threshold for SAR filing Case C illustrated genuine disagreement about where the objective suspicion threshold is. UK law requires SAR filing when a person "knows or suspects" that another person is engaged in money laundering. "Suspects" is a lower bar than "believes" or "has evidence." Axiom's internal policy did not give analysts a clear framework for what combination of indicators crosses the suspicion threshold.

Root Cause 3: Inadequate context integration Case A illustrated a situation where the analyst's review focused on the immediate transaction context (payments to an FCA-registered business) without adequately considering the customer protection context (could this customer be an authorised push payment fraud victim?). The analyst was reviewing a financial crime monitoring alert through an AML lens when the correct lens was broader.

Priya's Recommendations

1. The Suspicion Standard Matrix

Priya developed a decision matrix for SAR filing that Axiom implemented as an analyst reference tool:

Stage 1 — Base suspicion assessment Is there at least one objective indicator inconsistent with the customer's known profile or stated business purpose? - YES → proceed to Stage 2 - NO → close (document basis)

Stage 2 — Explanation availability Is there a plausible legitimate explanation for the indicator that is both consistent with the customer's profile AND corroborated by available evidence? - YES (corroborated) → close (document corroboration source) - YES (plausible but not corroborated) → proceed to Stage 3 - NO → file SAR

Stage 3 — Indicator accumulation Does the indicator combine with other unexplained indicators to create a pattern that crosses the objective suspicion threshold? - Pattern present (two or more unexplained indicators pointing in the same direction) → file SAR - Isolated indicator, no pattern → escalate for senior review - Senior review concurs: insufficient for SAR → close (document senior concurrence)

This matrix did not eliminate all judgment — Stage 3 still required professional assessment. But it reduced the most common disagreements by creating a structured pathway from observation to decision.

2. Documentation Templates by Scenario Type

For each of Axiom's 22 monitoring scenarios, Priya developed a minimum documentation template specifying what the analyst must record before closing an alert. For the cash deposit scenario, the template required: customer's stated business purpose (from KYC file reference), whether seasonal or event-specific explanation was cited, whether any corroborating evidence (invoices, receipts, prior transaction history) existed and was reviewed.

3. Expanded Alert Context Panel

The third recommendation was a technology change: expanding the analyst's alert review interface to include, alongside the triggering transactions, a "context summary" pulling from the KYC file, prior alert history, and related account activity. The goal was to make the Case A problem harder — it should be difficult for an analyst to review a payment pattern alert without seeing the customer's full 3-year payment history displayed alongside.

Results: Six Months Post-Implementation

The increase in analyst review time (22 to 26 minutes) was expected — better documentation and context integration takes longer. The question Axiom's Head of Financial Crime posed to Priya: "Are we filing more SARs because we're actually catching more suspicious activity, or because the framework is pushing analysts toward more SAR filings?"

Priya's answer: "Both, and both are correct responses to the system we inherited. The prior framework was suppressing SAR filings by leaving analysts without a clear suspicion threshold. The framework improvement is surfacing genuine suspicious activity that was being systematically under-reported."

Discussion Questions

1. Case C involved an analyst choosing to escalate rather than file a SAR directly. Escalation (to a senior reviewer) is a valid intermediate step, but UK law creates personal liability for individuals who "know or suspect" money laundering and fail to file a required report. What institutional policies should govern analyst decisions to escalate rather than file directly?

2. Priya's suspicion standard matrix is a simplification of a genuinely complex legal standard. What are the risks of over-systematizing the SAR filing decision? Could a matrix approach create mechanical compliance that misses the spirit of the suspicious activity reporting obligation?

3. The SAR filing rate increased from 1.2% to 1.8% of reviewed alerts following the framework implementation. From a regulatory perspective, is a higher SAR filing rate always better? What would an excessively high SAR filing rate indicate about the quality of the monitoring program?

4. Case A involved a potential financial crime victimization scenario (the customer as fraud victim rather than money laundering perpetrator). How should a transaction monitoring program be designed to surface potential fraud victimization alongside traditional AML typologies?

5. The QA reviewer disagreement rate fell from 15% to 6% — but 6% of alert decisions still involve genuine reasonable disagreement between experienced professionals. Is eliminating all QA disagreement a realistic or desirable goal? What does residual disagreement tell us about the limits of systematizing professional judgment in financial crime compliance?